=== Investigation 5: How do You Secure the Grub Boot Loader? ===
{{Admon/caution|Duplicate UUIDs|Before proceeding, check your <code>/boot</code> filesystem: use the <code>mount</code> command to see which filesystem is mounted on the mount point <code>/boot</code>. If it is <code>/dev/sda5</code>, it is the wrong filesystem. This may be caused by a duplication of serial numbers, which is a result of Lab 1; you can fix this problem with this series of commands:
mkdir /media/sda5 /tmp/sda5-files
umount /dev/sda5
mount /dev/sda5 /media/sda5
cp -v -R /media/sda5/* /tmp/sda5-files
umount /dev/sda5
mkfs -t ext3 /dev/sda5
mount /dev/sda5 /media/sda5
cp -v -R /tmp/sda5-files/* /media/sda5
rm -rf /tmp/sda5-files
mount -a
}}
By default, the Grub boot loader allows anyone with access to the computer at boot time to set the runlevel or change the boot parameters, which lets them influence the init process and choose which kernel image is loaded. Anyone with access to the boot prompt can therefore bypass security controls and control which software is loaded. For example, rebooting to runlevel 1, known as single user mode, gives the user root privileges without the need for a password! Obviously, giving a non-administrator this much control can be dangerous, and it is wise to protect the boot loader with a secure password.
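
The following script is an added example, not part of the original lab: it checks whether a Grub configuration file carries a global password directive, whether that password is stored hashed or in plain text, and whether the file is readable only by its owner. It assumes GRUB legacy syntax (global directives before the first <code>title</code> line); the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab). Assumes GRUB legacy syntax, where
# global directives appear before the first "title" line of grub.conf.

# grub_password_state FILE -> prints "hashed", "plaintext" or "missing"
grub_password_state() {
    awk '
        { sub(/^[ \t]+/, "") }                 # ignore leading indentation
        /^#/ { next }                          # skip comments
        /^title([ \t]|$)/ { exit }             # global section ends here
        /^password[ \t=]/ {
            state = ($0 ~ /^password[ \t=]+--md5[ \t]/) ? "hashed" : "plaintext"
        }
        END { print (state != "" ? state : "missing") }
    ' "$1"
}

# grub_conf_private FILE -> succeeds only if group and others have no access,
# so an unprivileged user cannot read the password line.
grub_conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample config; the hash is a placeholder, not a real digest.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$notARealHashValue000000
title Sample Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda1
EOF
chmod 600 "$sample"

echo "password: $(grub_password_state "$sample")"
grub_conf_private "$sample" && echo "permissions: private"
rm -f "$sample"
```

A result of <code>missing</code> means the boot prompt is unprotected, and <code>plaintext</code> means anyone who can read the file can read the password.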